tcell_agent 0.2.29 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ef449abceb02a45432746a68e50989438292c9c0
-  data.tar.gz: 1b8ce68123c46d3a12cbc2262e4125948973ecf5
+  metadata.gz: 521d6057316a3d03d8f1b69dab4419c22bd52f08
+  data.tar.gz: 8296679382ce95cbc764e8cddcc2f5a42b8ce87b
 SHA512:
-  metadata.gz: ac50286364897b7743cfd3dcfa9ed539f425142311b2eb675167a3362a84ba23c581ddb72342923723c35eeb3fbef7f4d0bc3b10ef4ff4ad0490b44fcd68a2f9
-  data.tar.gz: a0b0b0e374279de26805a4710f13217c7682f58901621dd8b430f64d6a322aef4b6aa15f4441c2c26043249dca75b1b5cb4f41525faeac84c22264438c719475
+  metadata.gz: b8c8463350c03e01fe5d0a3da334500df9c81047bf8b5ce20378c4840ee9659523aa1ee44233aa18f27ac8f51977d5f3a36c5cc4f566e5f641ab745ace18a5f1
+  data.tar.gz: 44fd7f23e32263bab9643e33a3befab20e1f3848258c80055e663911f4f1607a53672426fcfff066094bcc13e759bd6df8eaad41f2b777d54acf9b83f374df51

data/Readme.txt

@@ -0,0 +1,7 @@
+Config goes in config/tcell_agent.config
+Fill in API key, Company Name, App Name
+
+You can add 
+        "tcell_api_url":"http://10.0.2.2:8000/api/v1",
+        "tcell_input_url":"http://10.0.2.2:3000"
+to specify other servers to use

data/bin/tcell_agent

@@ -268,6 +268,15 @@ elsif (command == 'test')
     Kernel.exit(1)
   end
   puts "passed"
+
+  printf "%-50s", "Loading native library... "
+  require 'tcell_agent/rust/whisperer'
+  if !TCellAgent::Rust::Wrapper.common_lib_available?
+    puts "failed"
+    Kernel.exit(1)
+  end
+  puts "passed"
+
   puts
   puts "all tests passed, looks good."
   puts "done."

data/lib/tcell_agent/agent/policy_manager.rb

@@ -141,10 +141,13 @@ module TCellAgent
           new_policy = policy_class.from_json(policy_jsons[policy_type])
           if new_policy
             @lock.synchronize do
+              old_policy = @policies[policy_type]
               @policies[policy_type] = new_policy
               if cache_the_policy
                cache(policy_type, policy_jsons[policy_type])
               end
+
+              old_policy.free_native_memory if old_policy
             end
           end
         end

data/lib/tcell_agent/agent/policy_types.rb

@@ -13,6 +13,7 @@ require "tcell_agent/policies/appsensor_policy"
 require "tcell_agent/policies/login_fraud_policy"
 require "tcell_agent/policies/dataloss_policy"
 require "tcell_agent/policies/patches_policy"
+require "tcell_agent/policies/command_injection_policy"
 
 module TCellAgent
   class PolicyTypes
@@ -26,6 +27,7 @@ module TCellAgent
     LoginFraud = "login"
     DataLoss = "dlp"
     Patches = "patches"
+    CommandInjection = "cmdi"
 
     ClassMap = {
       CSP=>TCellAgent::Policies::ContentSecurityPolicy,
@@ -37,7 +39,8 @@ module TCellAgent
       HoneyTokens=>TCellAgent::Policies::HoneytokensPolicy,
       LoginFraud=>TCellAgent::Policies::LoginFraudPolicy,
       DataLoss=>TCellAgent::Policies::DataLossPolicy,
-      Patches=>TCellAgent::Policies::PatchesPolicy
+      Patches=>TCellAgent::Policies::PatchesPolicy,
+      CommandInjection=>TCellAgent::Policies::CommandInjectionPolicy
     }
 
   end

data/lib/tcell_agent/appsensor/injections_matcher.rb

@@ -1,3 +1,12 @@
+require 'tcell_agent/policies/appsensor/cmdi_sensor'
+require 'tcell_agent/policies/appsensor/fpt_sensor'
+require 'tcell_agent/policies/appsensor/nullbyte_sensor'
+require 'tcell_agent/policies/appsensor/retr_sensor'
+require 'tcell_agent/policies/appsensor/sqli_sensor'
+require 'tcell_agent/policies/appsensor/xss_sensor'
+require 'tcell_agent/utils/params'
+
+
 module TCellAgent
   module AppSensor
 
@@ -7,6 +16,7 @@ module TCellAgent
       JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
       COOKIE_PARAM = TCellAgent::Utils::Params::COOKIE_PARAM
       URI_PARAM = TCellAgent::Utils::Params::URI_PARAM
+      HEADER_PARAM = TCellAgent::Utils::Params::HEADER_PARAM
 
       DETECTION_POINTS_V2 = {
         "xss" => TCellAgent::Policies::XssSensor,
@@ -75,6 +85,16 @@ module TCellAgent
             yield(injection_attempt) if injection_attempt
           end
         end
+
+        meta_data.flattened_headers_dict.each do |param_name, param_value|
+          TCellAgent::Instrumentation.safe_block("AppSensor Check HEADER var injections") do
+            param_name = param_name[-1]
+            injection_attempt =
+              check_param_for_injections(HEADER_PARAM, meta_data, param_name, param_value)
+
+            yield(injection_attempt) if injection_attempt
+          end
+        end
       end
 
       def check_param_for_injections(param_type, appsensor_meta, param_name, param_value)

data/lib/tcell_agent/appsensor/injections_reporter.rb

@@ -1,68 +1,27 @@
-require 'tcell_agent/appsensor/sensor'
-require 'tcell_agent/utils/params'
+require 'tcell_agent/sensor_events/appsensor_event'
 
 
 module TCellAgent
   module AppSensor
 
-    class InjectionsReporter
-      GET_PARAM = TCellAgent::Utils::Params::GET_PARAM
-      POST_PARAM = TCellAgent::Utils::Params::POST_PARAM
-      JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
-      COOKIE_PARAM = TCellAgent::Utils::Params::COOKIE_PARAM
-      URI_PARAM = TCellAgent::Utils::Params::URI_PARAM
-
-      PARAM_TYPE_TO_L = {
-        GET_PARAM => 'query',
-        POST_PARAM => 'body',
-        JSON_PARAM => 'body',
-        URI_PARAM => 'uri',
-        COOKIE_PARAM => 'cookie'
-      }
-
-      attr_accessor :injections_matcher, :payloads_policy, :collect_full_uri
-
-      def initialize(injections_matcher, payloads_policy, collect_full_uri)
-        @injections_matcher = injections_matcher
-        @payloads_policy = payloads_policy
-        @collect_full_uri = collect_full_uri
-      end
-
-      def check(appsensor_meta)
-        @injections_matcher.each_injection(appsensor_meta) do |injection_attempt|
-          vuln_param = injection_attempt.param_name
-          type_of_param = injection_attempt.type_of_param
-
-          meta = {"l" => PARAM_TYPE_TO_L[type_of_param]}
-          pattern = injection_attempt.pattern
-
-          payload = @payloads_policy.apply(
-            injection_attempt.detection_point,
-            appsensor_meta,
-            type_of_param,
-            vuln_param,
-            injection_attempt.param_value,
-            meta,
-            pattern
+    module InjectionsReporter
+      def self.report_and_log(events)
+        (events || []).each do |event|
+          TCellAgent.send_event(
+            TCellAgent::SensorEvents::TCellAppSensorEvent.build_from_native_lib_event(event)
           )
 
-          TCellAgent::AppSensor::Sensor.send_event(
-            appsensor_meta,
-            injection_attempt.detection_point,
-            vuln_param,
-            meta,
-            payload,
-            pattern,
-            @collect_full_uri)
-        end
-      end
-
-      def self.from_json(version, data_json, payloads_policy, collect_full_uri=false)
-        injections_matcher = InjectionsMatcher.from_json(version, data_json)
+          if event.has_key?("full_payload")
+            event_to_log = {}.merge(event)
+            event_to_log["payload"] = event_to_log.delete("full_payload")
 
-        InjectionsReporter.new(injections_matcher, payloads_policy, collect_full_uri)
+            cleaned_event = TCellAgent::SensorEvents::TCellAppSensorEvent.build_from_native_lib_event(
+              event_to_log
+            )
+            TCellAgent.logger.info(JSON.dump(cleaned_event))
+          end
+        end
       end
-
     end
 
   end

data/lib/tcell_agent/appsensor/meta_data.rb

@@ -7,16 +7,52 @@ module TCellAgent
 
     class MetaData < TCellAgent::SensorEvents::TCellSensorEvent
 
-      attr_accessor :get_dict, :post_dict, :body_dict, :cookie_dict, :path_parameters
+      attr_accessor :get_dict, :post_dict, :body_dict, :cookie_dict, :path_parameters,
+        :remote_address, :method, :route_id, :session_id, :user_id, :transaction_id
 
-      def initialize
+      attr_reader :headers_dict
+
+      def initialize(method, remote_address, route_id, session_id, user_id, transaction_id)
         @send = false
 
+        @method = method
+        @remote_address = remote_address
+        @route_id = route_id
+        @session_id = session_id
+        @user_id = user_id
+        @transaction_id = transaction_id
+
         @body_dict = {}
         @get_dict = {}
         @post_dict = {}
         @cookie_dict = {}
         @path_parameters = {}
+        @headers_dict = {}
+      end
+
+      def get_dict=(value)
+        @flattened_get_dict = nil
+        @get_dict = value
+      end
+
+      def body_dict=(value)
+        @flattened_body_dict = nil
+        @body_dict = value
+      end
+
+      def post_dict=(value)
+        @flattened_post_dict = nil
+        @post_dict = value
+      end
+
+      def cookie_dict=(value)
+        @flattened_cookie_dict = nil
+        @cookie_dict = value
+      end
+
+      def path_parameters=(value)
+        @flattened_path_parameters = nil
+        @path_parameters = value
       end
 
       def flattened_path_parameters
@@ -47,6 +83,24 @@ module TCellAgent
         @flattened_cookie_dict
       end
 
+      def flattened_headers_dict
+        @flattened_headers_dict ||= TCellAgent::Utils::Params.flatten(@headers_dict)
+
+        @flattened_headers_dict
+      end
+
+      def set_headers_dict(env)
+        @flattened_headers_dict = nil
+        @headers_dict = env.select { |k,v|
+          header_downcased = k.downcase
+          (header_downcased != "http_cookie" && header_downcased.start_with?('http_')) ||
+            ["content_type", "content_length"].include?(header_downcased)
+        }.inject({}) { |memo, (k,v)|
+          memo[k.downcase.sub(/^http_/, '').gsub('_', '-')] = v
+          memo
+        }
+      end
+
       def set_body_dict(request_content_bytes_len, request_content_type, request_body)
         if request_content_bytes_len > 2000000
           @body_dict = {}